[PGP-USERS] Another Flaw in PGP found.
Heyman, Michael
Michael_Heyman at NAI.com
Tue Sep 4 12:02:21 EDT 2001
See <http://www.pgp.com/support/product-advisories/pgpsdk.asp>
A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID. If the
attacker can obtain a signature on their key from a trusted third
party, they can then add a second user ID to their key which is
unsigned. The attacker must then switch the unsigned false user ID to
primary and convince the victim to place the key on their keyring. In
such a case, some of the displays in PGP do not properly identify the
false user ID as invalid because the second user ID is fully valid.
Whenever PGP displays validity information on a per-user ID basis,
the display is correct. Thus, attentive users who examine the user
IDs of all public keys which they import to their keyrings will
immediately notice this problem before it could have any impact.
This issue was discovered and reported to Network Associates/PGP
Security, Inc. by Sieuwert van Otterloo.
> -----Original Message-----
> From: R. A. Hettinga [mailto:rah at shipwright.com]
> Sent: Monday, September 03, 2001 4:27 PM
> To: Digital Bearer Settlement List; dcsb at ai.mit.edu;
> cryptography at wasabisystems.com
> Subject: Fwd: [PGP-USERS] Another Flaw in PGP found.
>
>
>
> --- begin forwarded text
>
>
> Status: U
> Date: Mon, 3 Sep 2001 20:17:24 +0100
> To: usual at espace.net
> From: Fearghas McKay <fm at espace.net>
> Subject: Fwd: [PGP-USERS] Another Flaw in PGP found.
> Reply-To: "Usual People List" <usual at espace.net>
> Sender: <usual at espace.net>
> List-Subscribe: <mailto:usual-on at espace.net>
>
>
> --- begin forwarded text
>
>
> From: "Keith" <n6jpa at wvi.com>
> Organization: -
> To: pGP-Basics at yahoogroups.com
> Date: Mon, 3 Sep 2001 12:07:25 -0700
> Subject: [PGP-USERS] Another Flaw in PGP found.
> Cc: pgp-users at cryptorights.org
> X-PGP-KEY: 0x8929971E
> X-URL:
> http://keyserver.pgp.com/pks/lookup?op=get&exact=off&search=0x8929971E
> X-PGP-EMAIL: n6jpa at wvi.com
> X-PGP-FINGERPRINT: F115 8217 2300 747B 69FD 498F BC0A 31B1 8929 971E
> X-PGP-KEY-DATE: 07/11/2001 Expires 07/11/2002
> Sender: pgp-users-admin-human at cryptorights.org
> Reply-To: pgp-users at cryptorights.org
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> It seems a programmer has found another security flaw
> in PGP. Details tomorrow and the web page is at:
> http://www.security.nl/artikel.php3?id=2293 if you read Dutch.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBO5PU3bwKMbGJKZceEQI7FACgwMnUV0zDjIF4TG5Df636NQaRmuoAoOub
> rbDtGn3YmaId3B8AstQ59m4f
> =KhFO
> -----END PGP SIGNATURE-----
>
>
> --
> Best Regards,
>
> Keith YahooIM:strongsignals_com AIM:KeithYit23
> ==========================================================
> Find Windows Freeware @ http://strongsignals.com/
> The rec.radio.swap Email List
> http://groups.yahoo.com/group/recradioswap/
> Microsoft said OE5 or better so I installed Pegasus V4!
> ==========================================================
>
>
>
>
> ....................................................................
> Unsubscribe:
> <mailto:pgp-users-listbot at cryptorights.org?body=unsubscribe>
> Automated Help/Info: <mailto:pgp-users-listbot at cryptorights.org?body=help>
> List Homepage: <http://cryptorights.org/pgp-users/>
> List Admin (human): <mailto:pgp-users-admin-human at cryptorights.org>
> Please do not send administrative commands to the list address! Thanks.
> --- end forwarded text
> --- end forwarded text
> --
> -----------------
> R. A. Hettinga <mailto: rah at ibuc.com>
> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
> 44 Farquhar Street, Boston, MA 02131 USA
> "... however it may deserve respect for its usefulness and antiquity,
> [predicting the end of the world] has not been found agreeable to
> experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at wasabisystems.com
> ---------------------------------------------------------------------
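The advisory at the top of this message describes a key-level validity summary that is computed from any signed user ID but shown next to the primary user ID. The following Python model is an added illustration, not code from PGP or from anyone on this thread; the key IDs, names and trust set are constructed placeholders. It contrasts the flawed key-level display with a per-user-ID check, which is the behaviour the advisory says attentive users should rely on.

```python
from dataclasses import dataclass, field

# Constructed model of an OpenPGP key as the advisory describes it: one key
# carrying several user IDs, each with zero or more certifying signatures.
# All key IDs, names and trust values below are made-up sample data.

@dataclass
class UserID:
    name: str
    certifiers: set = field(default_factory=set)  # key IDs that signed this UID

@dataclass
class PublicKey:
    keyid: str
    uids: list
    primary: int = 0  # index of the UID the key owner marked as primary

def uid_valid(uid: UserID, trusted: set) -> bool:
    """Per-user-ID validity: valid only if a trusted introducer signed this UID."""
    return bool(uid.certifiers & trusted)

def display_flawed(key: PublicKey, trusted: set) -> tuple:
    """Key-level summary: the key counts as valid if ANY user ID is valid, and
    the primary UID's name is shown beside that result, so an unsigned primary
    UID inherits validity it never earned."""
    key_is_valid = any(uid_valid(u, trusted) for u in key.uids)
    return key.uids[key.primary].name, key_is_valid

def display_fixed(key: PublicKey, trusted: set) -> tuple:
    """Show the primary UID together with the validity computed for THAT UID."""
    primary = key.uids[key.primary]
    return primary.name, uid_valid(primary, trusted)

# Constructed scenario from the advisory: the key owner's own UID was signed by
# a trusted introducer, then a second, unsigned UID was added and made primary.
TRUSTED = {"0xTRUSTED1"}  # placeholder key ID of the trusted third party
sample_key = PublicKey(
    keyid="0xSAMPLEKEY",
    uids=[
        UserID("Mallory <mallory@example.invalid>", {"0xTRUSTED1"}),
        UserID("Alice <alice@example.invalid>"),  # unsigned second UID
    ],
    primary=1,
)

if __name__ == "__main__":
    print("flawed display:", display_flawed(sample_key, TRUSTED))
    print("fixed display: ", display_fixed(sample_key, TRUSTED))
```

Running it shows the key-level summary labelling the unsigned "Alice" UID as valid, while the per-UID display reports it as invalid.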